When you conduct your network security assessments for your clients, are there any very common security weaknesses you come across in most of your client networks? I always find it intriguing to gauge the common sorts of security issues found in most networks. I’d hazard a guess that most serious network administrators will proactively run vulnerability assessment tools themselves, prior (and ideally on regular schedules) to an external security firm coming in and doing their independent there review. I just wondered if there are common security issues and vulnerabilities you come up against again and again in your reviews? Any tales and feedback most welcome. Thanks

Weak passwords have already been mentioned.... I have pretty good success taking about 10 common passwords and spraying them across ALL the services I discover. Vmware, vnc, SMB, telnet, ssh.... everything.... In large environments, I usually hit at least one, which is typically the first step in total pwnag3 because of all the stuff already mentioned. Defense is hard. Glad I'm on offense.

- Sync'd local admin pws - Lots of LM hashing in use - Tons of exposed 445 on EVERYTHING which makes PTH and psexec possible

There's a group policy that disallows network authentication for the local users specified. We typically make organization's roll that out after we've run a train on them using those techniques. It ruins everything for us or whoever the next year, but it's simple and effective. Disallowing delegation for privileged accounts is huge too.

Another fun one is if they're setting the local admin's password via group policy preferences and you get a standard domain user account. You can read the groups.xml on the domain controller and there are scripts floating around that'll decrypt the encrypted password in it because Microsoft disclosed the key they used.

That's a cool idea and I think that would work well with what I usually recommend.... which is to implement GPO based FWs and block 445 inbound, except from a jump box or from a small subnet of IPs.

I know 445 can also be used for installing software remotely, but again, that could be accomplished by only allowing inbound 445 from a subset of the network/jump box.

I was recently at a client that implemented something really cool called CyberArk, ever heard of it? It changes the local admin passwords to crazy random passwords, every hour! It keeps track of all of them and allows SSO through the CyberArk. Bad ass!

cd1zz wrote:That's a cool idea and I think that would work well with what I usually recommend.... which is to implement GPO based FWs and block 445 inbound, except from a jump box or from a small subnet of IPs.

I know 445 can also be used for installing software remotely, but again, that could be accomplished by only allowing inbound 445 from a subset of the network/jump box.

I've personally had a difficult time getting people to implement client-side firewall changes. There's always a ton of push-back. I don't know if the sys admins just aren't as comfortable on the network side or what the deal is, but something that should be simple always seems to break everything. That's definitely a good strategy when implemented properly though.

With the network logon GPO, there's a corresponding one that disallows RDP for specified users, which is necessary since that's treated as an interactive logon, not a network logon. On the attacking side, that obviously requires cracking the hash instead of passing it, but it's not like that doesn't happen frequently Again, disabling the service or client-side firewalls could address that as well. I guess a blanket GPO is a good safety net.

cd1zz wrote:I was recently at a client that implemented something really cool called CyberArk, ever heard of it? It changes the local admin passwords to crazy random passwords, every hour! It keeps track of all of them and allows SSO through the CyberArk. Bad ass!

I've never used it personally, but it's one I suggest be researched for anyone looking at enterprise password management. I saw one that did something similar, but it only changed after it was checked out by a user, effectively providing one-time passwords. The ManageEngine utility looks promising too. It even supports multi-factor, so you need a phone or RSA token in order to check out passwords.